Posted to dev@tomcat.apache.org by gl...@apache.org on 2003/03/08 15:20:45 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader WebappClassLoader.java WebappLoader.java
glenn 2003/03/08 06:20:45
Modified: . RELEASE-NOTES-4.1.txt
catalina/src/share/org/apache/catalina/loader
WebappClassLoader.java WebappLoader.java
Log:
Fix bug #17775
Make sure web applications are granted a FilePermission to
read the web application context directory in addition to
its contents.
Minor refactoring and cleanup of code for adding FilePermission's.
Revision Changes Path
1.62 +10 -1 jakarta-tomcat-4.0/RELEASE-NOTES-4.1.txt
Index: RELEASE-NOTES-4.1.txt
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.1.txt,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- RELEASE-NOTES-4.1.txt 7 Mar 2003 10:59:35 -0000 1.61
+++ RELEASE-NOTES-4.1.txt 8 Mar 2003 14:20:44 -0000 1.62
@@ -714,6 +714,11 @@
Session Manager StoreBase
Fix a NPE bug when the background thread expires sessions.
+[4.1.22] #17775
+ WebappClassLoader
+ Grant web applications a FilePermission to read the web application
+ context directory in addition to its contents.
+
----------------
Coyote Bug Fixes:
----------------
@@ -1179,6 +1184,10 @@
[4.1.22] JspC:
Add documentation.
+[4.1.22] #17775
+ JspRuntimeContext
+ Grant web applications JSP pages a FilePermission to read the web application
+ context directory in addition to its contents.
============================
KNOWN ISSUES IN THIS RELEASE:
1.48 +22 -7 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
Index: WebappClassLoader.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -r1.47 -r1.48
--- WebappClassLoader.java 10 Oct 2002 22:04:24 -0000 1.47
+++ WebappClassLoader.java 8 Mar 2003 14:20:45 -0000 1.48
@@ -475,14 +475,27 @@
* @param path file directory path
*/
public void addPermission(String path) {
+ if (path == null) {
+ return;
+ }
+
if (securityManager != null) {
Permission permission = null;
if( path.startsWith("jndi:") || path.startsWith("jar:jndi:") ) {
+ if (!path.endsWith("/")) {
+ path = path + "/";
+ }
permission = new JndiPermission(path + "*");
+ addPermission(permission);
} else {
- permission = new FilePermission(path + "-","read");
+ if (!path.endsWith(File.separator)) {
+ permission = new FilePermission(path, "read");
+ addPermission(permission);
+ path = path + File.separator;
+ }
+ permission = new FilePermission(path + "-", "read");
+ addPermission(permission);
}
- addPermission(permission);
}
}
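Review bot: The new read permission on the directory itself is added only inside `if (!path.endsWith(File.separator))`, so a caller that still passes a path with a trailing separator gets just the recursive `-` grant, exactly as before this change. The callers updated in WebappLoader.java now pass canonical paths without the separator, but the Javadoc (`@param path file directory path`) states neither that expectation nor that null is now ignored. I would document both, e.g. `@param path directory path without a trailing separator; null is ignored`. Strings arriving through addPermission(URL) end in `/` rather than File.separator, so on a platform where the two differ a non-jndi URL would presumably get the separator appended after the slash; worth confirming whether such URLs can reach this branch. The method's Javadoc begins outside the hunk.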
@@ -494,7 +507,9 @@
* @param url URL for a file or directory on local system
*/
public void addPermission(URL url) {
- addPermission(url.toString());
+ if (url != null) {
+ addPermission(url.toString());
+ }
}
1.31 +15 -28 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappLoader.java
Index: WebappLoader.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappLoader.java,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- WebappLoader.java 20 Sep 2002 21:20:44 -0000 1.30
+++ WebappLoader.java 8 Mar 2003 14:20:45 -0000 1.31
@@ -887,37 +887,28 @@
String contextRoot = servletContext.getRealPath("/");
if (contextRoot != null) {
try {
- contextRoot =
- (new File(contextRoot)).getCanonicalPath()
- + File.separator;
+ contextRoot = (new File(contextRoot)).getCanonicalPath();
classLoader.addPermission(contextRoot);
} catch (IOException e) {
// Ignore
}
}
- URL classesURL =
- servletContext.getResource("/WEB-INF/classes/");
- if (classesURL != null)
- classLoader.addPermission(classesURL);
-
+ URL classesURL = servletContext.getResource("/WEB-INF/classes/");
+ classLoader.addPermission(classesURL);
URL libURL = servletContext.getResource("/WEB-INF/lib/");
- if (libURL != null) {
- classLoader.addPermission(libURL);
- }
+ classLoader.addPermission(libURL);
if (contextRoot != null) {
if (libURL != null) {
File rootDir = new File(contextRoot);
File libDir = new File(rootDir, "WEB-INF/lib/");
- String path = null;
try {
- path = libDir.getCanonicalPath() + File.separator;
+ String path = libDir.getCanonicalPath();
+ classLoader.addPermission(path);
} catch (IOException e) {
}
- if (path != null)
- classLoader.addPermission(path);
}
} else {
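Review bot: The empty `catch (IOException e)` blocks around the `classLoader.addPermission(...)` calls (two in this hunk, two more in the following hunk at -925) mean a failed getCanonicalPath() silently leaves the web application without that FilePermission. Skipping the grant is the safe direction, but under a security manager the first visible symptom would presumably be an access-control failure far from its cause. I would record the failure through whatever logging this class already uses, or at minimum replace `// Ignore` with a comment such as `// Canonical path unavailable: permission deliberately not granted`. The enclosing method starts and ends outside both hunks.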
@@ -925,23 +916,19 @@
if (workDir != null) {
if (libURL != null) {
File libDir = new File(workDir, "WEB-INF/lib/");
- String path = null;
try {
- path = libDir.getCanonicalPath() + File.separator;
+ String path = libDir.getCanonicalPath();
+ classLoader.addPermission(path);
} catch (IOException e) {
}
- classLoader.addPermission(path);
}
if (classesURL != null) {
- File classesDir =
- new File(workDir, "WEB-INF/classes/");
- String path = null;
+ File classesDir = new File(workDir, "WEB-INF/classes/");
try {
- path = classesDir.getCanonicalPath()
- + File.separator;
+ String path = classesDir.getCanonicalPath();
+ classLoader.addPermission(path);
} catch (IOException e) {
}
- classLoader.addPermission(path);
}
}